SlideShare a Scribd company logo

Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018

Codemotion, profile picture
Codemotion

Upgrading a permissionless, consensus-based distributed system like Bitcoin is extremely challenging due to its decentralized nature. Nodes cannot simply be forced to upgrade like in a permissioned system. Instead, upgrades must be implemented carefully as soft forks to maintain backward compatibility and avoid network splits. The transaction malleability problem and need for scaling led to the development of Segregated Witness, which moves signature data out of transactions to allow for soft-fork block size increases and prevent attacks on layer-2 solutions. Overall, distributed consensus systems require innovative technical solutions to upgrade protocols while preserving decentralization.

Technology
1 of 63
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
Simone Bronzini CTO @ Chainside simone.bronzini@chainside.net Upgrading a permissionless, consensus-based distributed system
Chainside ● Making simple for eCommerce systems to accept bitcoins ● WIP: Merchant mobile app to receive bitcoins face-to-face ● Open source: ○ btcpy: https://github.com/chainside/btcpy ○ btcnodejs: https://github.com/chainside/btcnodejs
BEN Italia ● 800+ students, researchers and professors as members ● 50+ universities involved ● 17 events organised in 2017 ● 9 startups funded among by members ● a law draft proposed
Consensus: agreeing on a global state PERMISSIONED ● Writing permission is granted by a central authority ● Read permission can either be granted to single subjects or allowed to everyone ● Use traditional, majority based, consensus protocols: Paxos, PBFT, RAFT, etc. PERMISSIONLESS ● Writing permission is paid in scarce resources: nodes propose values (i.e. transactions), miners receive proposed values, and do proof-of-work on them ● Read permission is granted to everyone ● Use proof-of-work. Ongoing research on Stake and Capacity.
Consensus: agreeing on a global state CONs of Paxos & co: ● To have a concept of majority, the number of nodes must be predefined ● Who is a reader and who is a writer must be predefined ● Imagine it permissionless: I can deploy thousands of writers and subvert the network PROs of Bitcoin: ● Nodes and miners can come and go, computational power counts ● I can deploy as many nodes as I want but I need to waste actual computational power to control the network ● Miners are encouraged to not subvert the system by the incentive of mining new blocks
Upgrading a consensus-based system Upgrading Paxos & co: ● shut down all nodes (it’s permissioned, you can do that!) ● upgrade the software ● restart the network Upgrading Bitcoin: ● shut down all nodes... (uhm, how?)
Example of bitcoin upgrades
Backward compatibility - 1
Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
Backward compatibility – HOW? In any consensus-based system, nodes follow the same set of rules What happens in case of an upgrade?
Backward compatibility – SCENARIO #1 Whatever happens the network will split!
Backward compatibility – SCENARIO #2 As soon as a blue or yellow block appears, there is no way to recover the split!
Backward compatibility – SCENARIO #3 If the green chain is longer, the network will not split: SOFT FORK
Backward compatibility – SCENARIO #4 As soon as a blue block appears, there is no way to recover the split: HARD FORK
Example of a HARD FORK Increasing the block size: Currently capped at 1MB Years-long debate among bitcoiners ● Problems: ○ increases the propagation delay, makes the network less stable ○ does not scale (imagine 1GB blocks) ○ the blockchain becomes HUGE ○ it’s a hard fork!
Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018
Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018
Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018
Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018
Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018
Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018
Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018
Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018
Example of a SOFT FORK - 1 Restricting the way transactions are signed: ● For cryptography, Bitcoin uses ECDSA secp256k1curve ● Bitcoin transactions are identified by their hash: 1. Take the whole tx 2. Serialise it 3. Compute the hash 4. That’s the transaction identifier ● Problems: ○ Signatures are included ○ But secp256k1 signatures can be malleated!
Example of a SOFT FORK - 2 ● secp256k1 is an elliptic curve ● a signature is represented as a point on the curve ● let’s see what can go wrong.. A representation of the SECP256k1 curve, projected over real numbers. It is actually in the Zp field.
Example of a SOFT FORK - 3 Transaction A has the following signature: Someone can change the signature to look like this:
Example of a SOFT FORK - 4 New rule: from now on, we only accept signatures on the lower end of the curve Notice: still requires miners coordination!
Miners Coordination ● Miners signal readiness to an upgrade by activating the appropriate bits in the block header ● Example: “for this upgrade set the first 3 bits to 010” ● As soon as a strong majority of blocks have those bits set in the header, the rest of the network knows that the upgrade can be activated (actually slightly more complex than this)
Possible attack: TRANSACTION MALLEABILITY There are many more malleability vectors than the secp256k1signature: It is still possible to sign the same transaction twice with different nonces This results in two semantically equal transactions, with different ids
Transaction Malleability: Why is it a problem? ● User withdraws from wallet ● Wallet sends transaction A with id X (i.e. hash(A) = X) ● User produces transaction A’ so that its id is Y (hash(A’) = Y) ● Y enters a block ● User goes to wallet “Hey, transaction X was never approved, please send me another transaction” ● Wallet: “Oh, sorry, here’s a new transaction for you”
Transaction Malleability: Why is it a problem? ● User withdraws from wallet ● Wallet sends transaction A with id X (i.e. hash(A) = X) ● User produces transaction A’ so that its id is Y (hash(A’) = Y) ● Y enters a block ● User goes to wallet “Hey, transaction X was never approved, please send me another transaction” ● Wallet: “Oh, sorry, here’s a new transaction for you”
Transaction Malleability: LAYER 2 ● Blocks can’t accommodate all the transactions in the long term ● We have seen why we can’t just increase the block size willy-nilly
SOLUTION: Off-chain transactions block n Tx 1 From: Alice To: Bob
SOLUTION: Off-chain transactions block n Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck OFF-CHAIN
SOLUTION: Off-chain transactions block n block n+1 Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck Tx 3 From: Chuck To: Dave OFF-CHAIN
SOLUTION: Off-chain transactions block n block n+1 block n+2 Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck Tx 3 From: Chuck To: Dave Tx 20 From: Ken To: Eve Tx (…) From: (…) To: (…) OFF-CHAIN
SOLUTION: Off-chain transactions block n block n+1 block n+2 Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck Tx 3 From: Chuck To: Dave Tx 20 From: Ken To: Eve Tx 21 From: Eve To: Bob Tx (…) From: (…) To: (…) OFF-CHAIN
SOLUTION: Off-chain transactions block n block n+1 block n+2 block n+3 Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck Tx 3 From: Chuck To: Dave Tx 20 From: Ken To: Eve Tx 21 From: Eve To: Bob Tx 22 From: Bob To: Ted Tx (…) From: (…) To: (…) OFF-CHAIN OPENING CHANNEL CLOSING CHANNEL
TRANSACTION MALLEABILITY TX: B OUT: 0 sig TX D OUT: 3 sig 1 BTC 1 BTC 3 BTC hash(TX) = K TX: K OUT: 0 sig TX K OUT: 2 sig hash(TX) = J TX: J OUT: 0 sig TX J OUT: 1 sig 1 BTC 1 BTC 1 BTC hash(TX) = M 2 BTC 1 BTC TX: B OUT: 0 sig TX D OUT: 3 sig 1 BTC 1 BTC 3 BTC hash(TX) = K TX: K OUT: 0 SIG TX K OUT: 2 sig hash(TX) = J hash(TX) = H TX: J OUT: 0 sig TX J OUT: 1 sig 1 BTC 1 BTC 1 BTC hash(TX) = M 2 BTC 1 BTC
From: Ted To: Chuck Tx B ScriptSig B BREAKING LAYER 2 block n block n+1 witness A OFF-CHAIN From: Bob To: Ted Tx A ScriptSig A
From: Chuck To: Alice Tx C ScriptSig C From: Ted To: Chuck Tx B ScriptSig B BREAKING LAYER 2 block n block n+1 block n+2 witness A OFF-CHAIN From: Bob To: Ted Tx A ScriptSig A
From: Chuck To: Alice Tx C ScriptSig C From: Ted To: Chuck Tx B ScriptSig B BREAKING LAYER 2 block n block n+1 block n+2 witness A OFF-CHAIN From: Bob To: Ted Tx A ScriptSig A From: Ted To: Chuck Tx B’ ScriptSig B’
From: Chuck To: Alice Tx C ScriptSig C From: Ted To: Chuck Tx B ScriptSig B BREAKING LAYER 2 block n block n+1 block n+2 witness A OFF-CHAIN From: Bob To: Ted Tx A ScriptSig A From: Ted To: Chuck Tx B’ ScriptSig B’
SOLUTION: Segregated Witness Moving signatures out of hash computation
SAVING LAYER 2 block n block n+1 witness A From: Bob To: Ted Tx A From: Ted To: Chuck Tx B Witness A Witness B OFF-CHAIN
SAVING LAYER 2 block n block n+1 block n+2 From: Bob To: Ted Tx A From: Ted To: Chuck Tx B From: Chuck To: Alice Tx C Witness B Witness C OFF-CHAIN Witness A
SAVING LAYER 2 block n block n+1 block n+2 witness A From: Bob To: Ted Tx A From: Ted To: Chuck Tx B From: Chuck To: Alice Tx C From: Ted To: Chuck Tx B Witness A Witness B Witness C Witness B’ OFF-CHAIN
SAVING LAYER 2 block n block n+1 block n+2 witness A From: Bob To: Ted Tx A From: Ted To: Chuck Tx B From: Chuck To: Alice Tx C From: Ted To: Chuck Tx B Witness A Witness B Witness C Witness B’ OFF-CHAIN
How to deploy SegWit? Changing the transaction structure might easily lead to a network split... ...unless we find a way to make the new transactions valid also for the old nodes!
Transactions before SegWit Tx: 2 From: Bob To: Chuck Tx: 1 ScriptSig From: Alice To: Bob ScriptSig Tx: 3 From: Chuck To: Ted ScriptSig
SegWit transactions Tx: 3 Witness From: Chuck To: Ted Tx: 1 Witness From: Alice To: Bob Tx: 2 Witness From: Bob To: Chuck As seen by upgraded nodes: Tx: 3 From: Chuck To: Ted Tx: 1 From: Alice To: Bob Tx: 2 From: Bob To: Chuck As seen by old nodes:
Additional advantage: soft fork block size increase Tx: 1 ScriptSig Tx: 1 1MB Block ScriptSig Tx: 2 ScriptSig
Additional advantage: soft fork block size increase Tx: 1 Witness Tx: 1 Tx: 2 Tx: 3 Tx: 4 Witness Witness Witness Witness 1MB Block
Summary ● Upgrading a consensus-based, permissionless, system is a nightmare ● Very easy solutions to very easy problems must be deployed in a very complex way ● Extra care needs to be taken when changing consensus rules (they can only be restricted!)
For those who are interested -1 We propose the following thesis topics in collaboration with Sapienza and UZH universities: ● Percolation on graphs and information diffusion in network of blockchain users ● The essential features of a monetary system: a comparison between traditional and blockchain-based systems ● Energy consumption in the Bitcoin system ● Monopolies formation in the Bitcoin system ● Optimal levels of decentralization in blockchain-based systems ● Scalability of on-chain and off-chain solutions ● Consensus protocols: a comparison of classical and blockchain-based approaches
For those who are interested -2 If you like blockchain-related topics, consider joining Blockchain Education Network http://blockchainedu.net/
QUESTIONS? Simone Bronzini CTO @ Chainside simone.bronzini@chainside.net

More Related Content

PDF
Intro. to Lightning Network (Bitcoin/Litecoin) - Blockchain Developers Malaysia
TM Lee
 
PPTX
Technology of Lightning Network in Tel Aviv, Israel
takayaimai
 
PDF
Introduction to Lightning Network
Alan Carbery
 
PDF
Lightning Network
Felix Crisan
 
PPTX
Blockchain presentation
KouTon
 
ODP
CBGTBT - Part 5 - Blockchains 102
Blockstrap.com
 
PPTX
Blockchain. A Guide For Beginners
ElifTech
 
PDF
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 
Intro. to Lightning Network (Bitcoin/Litecoin) - Blockchain Developers Malaysia
TM Lee
 
Technology of Lightning Network in Tel Aviv, Israel
takayaimai
 
Introduction to Lightning Network
Alan Carbery
 
Lightning Network
Felix Crisan
 
Blockchain presentation
KouTon
 
CBGTBT - Part 5 - Blockchains 102
Blockstrap.com
 
Blockchain. A Guide For Beginners
ElifTech
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 

Similar to Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018 (20)

ODP
Blockchan For Developers
Alex Chepurnoy
 
PPTX
BlockchainConf.tech - Build a private blockchain workshop
Pad Kankipati
 
PDF
Blockchain IoT Night / 25th Oct 2017
Lothar Wieske
 
PDF
Architecture of the Hyperledger Blockchain Fabric - Christian Cachin - IBM Re...
Romeo Kienzler
 
PDF
Blockchain For Developers
Alex Chepurnoy
 
PDF
Bitcoin Blockchain - Under the Hood
Galin Dinkov
 
PDF
Real world blockchains
Dmitry Meshkov
 
PDF
Blockchain - a formal introduction
Sander Demeester
 
PPTX
block chain.pptx
Danish Mahmood
 
PDF
Blockchain: Developer Perspective
Artur Skowroński
 
PDF
Introduction to Blockchain
Muhammad Moinur Rahman
 
PPTX
Introduction to Blockchain Web3 Session
DSCIITPatna
 
PPTX
Segregated witness and bitcoin scaling debate
dalcanto
 
PPTX
Towards a Generalised Blockchain Fabric @ CodeBlock 2018
Alexei Zamyatin
 
PPTX
UNIT 1 (1).pptx of block chain technologies
2k5preethi
 
PPTX
Blockchain - a simple implementation
Commit Software Sh.p.k.
 
PDF
Blockchain overview, use cases, implementations and challenges
Sébastien Tandel
 
PPTX
01 what is blockchain
BastianBlankenburg
 
PDF
Blockchain, Hyperledger, DeFi, Web 3.0 - understanding and concepts
keithfernandez19
 
PPTX
Hyperledger Consensus Algorithms
MabelOza12
 
Blockchan For Developers
Alex Chepurnoy
 
BlockchainConf.tech - Build a private blockchain workshop
Pad Kankipati
 
Blockchain IoT Night / 25th Oct 2017
Lothar Wieske
 
Architecture of the Hyperledger Blockchain Fabric - Christian Cachin - IBM Re...
Romeo Kienzler
 
Blockchain For Developers
Alex Chepurnoy
 
Bitcoin Blockchain - Under the Hood
Galin Dinkov
 
Real world blockchains
Dmitry Meshkov
 
Blockchain - a formal introduction
Sander Demeester
 
block chain.pptx
Danish Mahmood
 
Blockchain: Developer Perspective
Artur Skowroński
 
Introduction to Blockchain
Muhammad Moinur Rahman
 
Introduction to Blockchain Web3 Session
DSCIITPatna
 
Segregated witness and bitcoin scaling debate
dalcanto
 
Towards a Generalised Blockchain Fabric @ CodeBlock 2018
Alexei Zamyatin
 
UNIT 1 (1).pptx of block chain technologies
2k5preethi
 
Blockchain - a simple implementation
Commit Software Sh.p.k.
 
Blockchain overview, use cases, implementations and challenges
Sébastien Tandel
 
01 what is blockchain
BastianBlankenburg
 
Blockchain, Hyperledger, DeFi, Web 3.0 - understanding and concepts
keithfernandez19
 
Hyperledger Consensus Algorithms
MabelOza12
 
Ad

More from Codemotion (20)

PDF
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Codemotion
 
PDF
Pompili - From hero to_zero: The FatalNoise neverending story
Codemotion
 
PPTX
Pastore - Commodore 65 - La storia
Codemotion
 
PPTX
Pennisi - Essere Richard Altwasser
Codemotion
 
PPTX
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Codemotion
 
PPTX
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Codemotion
 
PPTX
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Codemotion
 
PPTX
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Codemotion
 
PDF
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Codemotion
 
PDF
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Codemotion
 
PDF
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Codemotion
 
PDF
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Codemotion
 
PDF
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Codemotion
 
PDF
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Codemotion
 
PPTX
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Codemotion
 
PPTX
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
Codemotion
 
PDF
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Codemotion
 
PDF
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Codemotion
 
PDF
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Codemotion
 
PDF
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Codemotion
 
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Codemotion
 
Pompili - From hero to_zero: The FatalNoise neverending story
Codemotion
 
Pastore - Commodore 65 - La storia
Codemotion
 
Pennisi - Essere Richard Altwasser
Codemotion
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Codemotion
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Codemotion
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Codemotion
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Codemotion
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Codemotion
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Codemotion
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Codemotion
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Codemotion
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Codemotion
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Codemotion
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Codemotion
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
Codemotion
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Codemotion
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Codemotion
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Codemotion
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Codemotion
 
Ad

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 

Upgrading the Bitcoin protocol - Simone Bronzini - Codemotion Rome 2018

  • 1. Simone Bronzini CTO @ Chainside simone.bronzini@chainside.net Upgrading a permissionless, consensus-based distributed system
  • 2. Chainside ● Making simple for eCommerce systems to accept bitcoins ● WIP: Merchant mobile app to receive bitcoins face-to-face ● Open source: ○ btcpy: https://github.com/chainside/btcpy ○ btcnodejs: https://github.com/chainside/btcnodejs
  • 3. BEN Italia ● 800+ students, researchers and professors as members ● 50+ universities involved ● 17 events organised in 2017 ● 9 startups funded among by members ● a law draft proposed
  • 4. Consensus: agreeing on a global state PERMISSIONED ● Writing permission is granted by a central authority ● Read permission can either be granted to single subjects or allowed to everyone ● Use traditional, majority based, consensus protocols: Paxos, PBFT, RAFT, etc. PERMISSIONLESS ● Writing permission is paid in scarce resources: nodes propose values (i.e. transactions), miners receive proposed values, and do proof-of-work on them ● Read permission is granted to everyone ● Use proof-of-work. Ongoing research on Stake and Capacity.
  • 5. Consensus: agreeing on a global state CONs of Paxos & co: ● To have a concept of majority, the number of nodes must be predefined ● Who is a reader and who is a writer must be predefined ● Imagine it permissionless: I can deploy thousands of writers and subvert the network PROs of Bitcoin: ● Nodes and miners can come and go, computational power counts ● I can deploy as many nodes as I want but I need to waste actual computational power to control the network ● Miners are encouraged to not subvert the system by the incentive of mining new blocks
  • 6. Upgrading a consensus-based system Upgrading Paxos & co: ● shut down all nodes (it’s permissioned, you can do that!) ● upgrade the software ● restart the network Upgrading Bitcoin: ● shut down all nodes... (uhm, how?)
  • 9. Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
  • 10. Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
  • 11. Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
  • 12. Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
  • 13. Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
  • 14. Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
  • 15. Backward compatibility - 2 Transactions produced by old nodes Transactions produced by new nodes
  • 16. Backward compatibility – HOW? In any consensus-based system, nodes follow the same set of rules What happens in case of an upgrade?
  • 17. Backward compatibility – SCENARIO #1 Whatever happens the network will split!
  • 18. Backward compatibility – SCENARIO #2 As soon as a blue or yellow block appears, there is no way to recover the split!
  • 19. Backward compatibility – SCENARIO #3 If the green chain is longer, the network will not split: SOFT FORK
  • 20. Backward compatibility – SCENARIO #4 As soon as a blue block appears, there is no way to recover the split: HARD FORK
  • 21. Example of a HARD FORK Increasing the block size: Currently capped at 1MB Years-long debate among bitcoiners ● Problems: ○ increases the propagation delay, makes the network less stable ○ does not scale (imagine 1GB blocks) ○ the blockchain becomes HUGE ○ it’s a hard fork!
  • 30. Example of a SOFT FORK - 1 Restricting the way transactions are signed: ● For cryptography, Bitcoin uses ECDSA secp256k1curve ● Bitcoin transactions are identified by their hash: 1. Take the whole tx 2. Serialise it 3. Compute the hash 4. That’s the transaction identifier ● Problems: ○ Signatures are included ○ But secp256k1 signatures can be malleated!
  • 31. Example of a SOFT FORK - 2 ● secp256k1 is an elliptic curve ● a signature is represented as a point on the curve ● let’s see what can go wrong.. A representation of the SECP256k1 curve, projected over real numbers. It is actually in the Zp field.
  • 32. Example of a SOFT FORK - 3 Transaction A has the following signature: Someone can change the signature to look like this:
  • 33. Example of a SOFT FORK - 4 New rule: from now on, we only accept signatures on the lower end of the curve Notice: still requires miners coordination!
  • 34. Miners Coordination ● Miners signal readiness to an upgrade by activating the appropriate bits in the block header ● Example: “for this upgrade set the first 3 bits to 010” ● As soon as a strong majority of blocks have those bits set in the header, the rest of the network knows that the upgrade can be activated (actually slightly more complex than this)
  • 35. Possible attack: TRANSACTION MALLEABILITY There are many more malleability vectors than the secp256k1signature: It is still possible to sign the same transaction twice with different nonces This results in two semantically equal transactions, with different ids
  • 36. Transaction Malleability: Why is it a problem? ● User withdraws from wallet ● Wallet sends transaction A with id X (i.e. hash(A) = X) ● User produces transaction A’ so that its id is Y (hash(A’) = Y) ● Y enters a block ● User goes to wallet “Hey, transaction X was never approved, please send me another transaction” ● Wallet: “Oh, sorry, here’s a new transaction for you”
  • 37. Transaction Malleability: Why is it a problem? ● User withdraws from wallet ● Wallet sends transaction A with id X (i.e. hash(A) = X) ● User produces transaction A’ so that its id is Y (hash(A’) = Y) ● Y enters a block ● User goes to wallet “Hey, transaction X was never approved, please send me another transaction” ● Wallet: “Oh, sorry, here’s a new transaction for you”
  • 38. Transaction Malleability: LAYER 2 ● Blocks can’t accommodate all the transactions in the long term ● We have seen why we can’t just increase the block size willy-nilly
  • 39. SOLUTION: Off-chain transactions block n Tx 1 From: Alice To: Bob
  • 40. SOLUTION: Off-chain transactions block n Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck OFF-CHAIN
  • 41. SOLUTION: Off-chain transactions block n block n+1 Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck Tx 3 From: Chuck To: Dave OFF-CHAIN
  • 42. SOLUTION: Off-chain transactions block n block n+1 block n+2 Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck Tx 3 From: Chuck To: Dave Tx 20 From: Ken To: Eve Tx (…) From: (…) To: (…) OFF-CHAIN
  • 43. SOLUTION: Off-chain transactions block n block n+1 block n+2 Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck Tx 3 From: Chuck To: Dave Tx 20 From: Ken To: Eve Tx 21 From: Eve To: Bob Tx (…) From: (…) To: (…) OFF-CHAIN
  • 44. SOLUTION: Off-chain transactions block n block n+1 block n+2 block n+3 Tx 1 From: Alice To: Bob Tx 2 From: Bob To: Chuck Tx 3 From: Chuck To: Dave Tx 20 From: Ken To: Eve Tx 21 From: Eve To: Bob Tx 22 From: Bob To: Ted Tx (…) From: (…) To: (…) OFF-CHAIN OPENING CHANNEL CLOSING CHANNEL
  • 45. TRANSACTION MALLEABILITY TX: B OUT: 0 sig TX D OUT: 3 sig 1 BTC 1 BTC 3 BTC hash(TX) = K TX: K OUT: 0 sig TX K OUT: 2 sig hash(TX) = J TX: J OUT: 0 sig TX J OUT: 1 sig 1 BTC 1 BTC 1 BTC hash(TX) = M 2 BTC 1 BTC TX: B OUT: 0 sig TX D OUT: 3 sig 1 BTC 1 BTC 3 BTC hash(TX) = K TX: K OUT: 0 SIG TX K OUT: 2 sig hash(TX) = J hash(TX) = H TX: J OUT: 0 sig TX J OUT: 1 sig 1 BTC 1 BTC 1 BTC hash(TX) = M 2 BTC 1 BTC
  • 46. From: Ted To: Chuck Tx B ScriptSig B BREAKING LAYER 2 block n block n+1 witness A OFF-CHAIN From: Bob To: Ted Tx A ScriptSig A
  • 47. From: Chuck To: Alice Tx C ScriptSig C From: Ted To: Chuck Tx B ScriptSig B BREAKING LAYER 2 block n block n+1 block n+2 witness A OFF-CHAIN From: Bob To: Ted Tx A ScriptSig A
  • 48. From: Chuck To: Alice Tx C ScriptSig C From: Ted To: Chuck Tx B ScriptSig B BREAKING LAYER 2 block n block n+1 block n+2 witness A OFF-CHAIN From: Bob To: Ted Tx A ScriptSig A From: Ted To: Chuck Tx B’ ScriptSig B’
  • 49. From: Chuck To: Alice Tx C ScriptSig C From: Ted To: Chuck Tx B ScriptSig B BREAKING LAYER 2 block n block n+1 block n+2 witness A OFF-CHAIN From: Bob To: Ted Tx A ScriptSig A From: Ted To: Chuck Tx B’ ScriptSig B’
  • 50. SOLUTION: Segregated Witness Moving signatures out of hash computation
  • 51. SAVING LAYER 2 block n block n+1 witness A From: Bob To: Ted Tx A From: Ted To: Chuck Tx B Witness A Witness B OFF-CHAIN
  • 52. SAVING LAYER 2 block n block n+1 block n+2 From: Bob To: Ted Tx A From: Ted To: Chuck Tx B From: Chuck To: Alice Tx C Witness B Witness C OFF-CHAIN Witness A
  • 53. SAVING LAYER 2 block n block n+1 block n+2 witness A From: Bob To: Ted Tx A From: Ted To: Chuck Tx B From: Chuck To: Alice Tx C From: Ted To: Chuck Tx B Witness A Witness B Witness C Witness B’ OFF-CHAIN
  • 54. SAVING LAYER 2 block n block n+1 block n+2 witness A From: Bob To: Ted Tx A From: Ted To: Chuck Tx B From: Chuck To: Alice Tx C From: Ted To: Chuck Tx B Witness A Witness B Witness C Witness B’ OFF-CHAIN
  • 55. How to deploy SegWit? Changing the transaction structure might easily lead to a network split... ...unless we find a way to make the new transactions valid also for the old nodes!
  • 56. Transactions before SegWit Tx: 2 From: Bob To: Chuck Tx: 1 ScriptSig From: Alice To: Bob ScriptSig Tx: 3 From: Chuck To: Ted ScriptSig
  • 57. SegWit transactions Tx: 3 Witness From: Chuck To: Ted Tx: 1 Witness From: Alice To: Bob Tx: 2 Witness From: Bob To: Chuck As seen by upgraded nodes: Tx: 3 From: Chuck To: Ted Tx: 1 From: Alice To: Bob Tx: 2 From: Bob To: Chuck As seen by old nodes:
  • 58. Additional advantage: soft fork block size increase Tx: 1 ScriptSig Tx: 1 1MB Block ScriptSig Tx: 2 ScriptSig
  • 59. Additional advantage: soft fork block size increase Tx: 1 Witness Tx: 1 Tx: 2 Tx: 3 Tx: 4 Witness Witness Witness Witness 1MB Block
  • 60. Summary ● Upgrading a consensus-based, permissionless, system is a nightmare ● Very easy solutions to very easy problems must be deployed in a very complex way ● Extra care needs to be taken when changing consensus rules (they can only be restricted!)
  • 61. For those who are interested -1 We propose the following thesis topics in collaboration with Sapienza and UZH universities: ● Percolation on graphs and information diffusion in network of blockchain users ● The essential features of a monetary system: a comparison between traditional and blockchain-based systems ● Energy consumption in the Bitcoin system ● Monopolies formation in the Bitcoin system ● Optimal levels of decentralization in blockchain-based systems ● Scalability of on-chain and off-chain solutions ● Consensus protocols: a comparison of classical and blockchain-based approaches
  • 62. For those who are interested -2 If you like blockchain-related topics, consider joining Blockchain Education Network http://blockchainedu.net/
  • 63. QUESTIONS? Simone Bronzini CTO @ Chainside simone.bronzini@chainside.net